Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL

W.C.A. Wijngaards
Mon Feb 21 12:50:58 CET 2011


Hi Jan-Piet, Andreas,

Tested here, the ANY query triggers a validation attempt of the NS
record.  The NS record is bogus.  When it finds out the NS record is
bogus, unbound refuses to talk to those nameservers.  Therefore it is
unable to fetch further data (the SSHFP request) for the zone.

Similar behaviour for the nameserver-glue A, AAAA: if they are bogus
unbound refuses to talk to those nameservers.

On 02/21/2011 12:36 PM, Andreas Schulze wrote:
> On 21.02.2011 08:44, Jan-Piet Mens wrote:
>> This is weird.
> yes.
> I'm surprised about three RRSIG for one RR:
> 
> $ dig @a.six53.net. jpmens.org. ns +dnssec +short
> a.six53.net.
> b.six53.net.
> c.six53.net.
> d.six53.net.
> NS 8 2 86400 20110303000000 20110217000000 50853 jpmens.org. APF6ZYf+cVySBHVBw+cA0rME4ZlG5r33bBZgtgcl/kEjDZCPqOYDIQj8 b/Zi1lFqL2X2qwI3DKL0VrN2XjDJeESMBdbcaYGygqPxH59cFDS9AX4b mHpJsjC5A5Nl6BA3xpe/Iw30UN7T0ohbEZlgfHTtm/VaMCDZvXyEFzwF JSo=
> NS 8 2 86400 20110303000000 20110217000000 50853 jpmens.org. BaFpHw3hi4v64JDpUmm2/TVFUCz0jHHeBOtEc0JJQuo4uYJtOVp9W97e KEVFzhnW1Y93utKXK9qkfZsBmPusHvuYLpQg+4065mOEoyEuaZ95247/ KJArGuHDNwHu/Xc35qvbzcTrcwof6T9yey6SuS0BNh1vMdlcGGATuphW RLo=
> NS 8 2 86400 20110303000000 20110217000000 50853 jpmens.org. OUShqrUPiUsTVq4A/jkIaCzyXE+8EfSubpggZsQYJD8ih6Yag9W3PlGV esNLi7XrQWxDbBghL/voFCDE0C2iHgt4K8Y0LXTpfr9lZ9n+soME+KsP w3n0TwgRw4GbE0XxgaVrUF7FZauh3FSebgp782QP6cpLjnAFWkJ1cze/ /ss=
> 
> May this be part of the problem?
> 

Seems to be so,
Feb 21 12:47:32 unbound[22628:0] info: verify rrset <jpmens.org. NS IN>
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: rrset failed to verify: no valid signatures for 1 algorithms

Best regards,
   Wouter

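An added example, not part of the original message and not unbound's own code: a small Python parser for the debug log lines quoted above that groups the signature checks per rrset and reports NS/A/AAAA rrsets that failed validation, the condition under which the resolver stops talking to a zone's nameservers. It recognises only the four line formats visible in this message; the class and function names are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Log lines copied from the message above (wrapped last line rejoined).
SAMPLE_LOG = """\
Feb 21 12:47:32 unbound[22628:0] info: verify rrset <jpmens.org. NS IN>
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: rrset failed to verify: no valid signatures for 1 algorithms
"""

RRSET = re.compile(r"info: verify rrset <(\S+) (\S+) (\S+)>")
SIG = re.compile(r"debug: verify sig (\d+) (\d+)")   # key tag, algorithm
MISMATCH = re.compile(r"debug: verify: signature mismatch")
FAILED = re.compile(r"debug: rrset failed to verify: (.+)")

@dataclass
class RRsetCheck:
    name: str
    rrtype: str
    sigs: list = field(default_factory=list)  # [key_tag, algorithm, mismatch]
    failure: str = ""                         # reason text, empty if none logged

def parse_validation_log(text):
    """Group 'verify sig' attempts under the rrset they belong to."""
    checks, current = [], None
    for line in text.splitlines():
        if m := RRSET.search(line):
            current = RRsetCheck(m.group(1), m.group(2))
            checks.append(current)
        elif current is None:
            continue
        elif m := SIG.search(line):
            current.sigs.append([int(m.group(1)), int(m.group(2)), False])
        elif MISMATCH.search(line) and current.sigs:
            current.sigs[-1][2] = True
        elif m := FAILED.search(line):
            current.failure = m.group(1).strip()
    return checks

def failed_delegation_rrsets(checks):
    """Failed NS rrsets, plus failed A/AAAA rrsets as candidates (the log does
    not say whether an address rrset is nameserver glue)."""
    return [c for c in checks if c.failure and c.rrtype in ("NS", "A", "AAAA")]

if __name__ == "__main__":
    for c in failed_delegation_rrsets(parse_validation_log(SAMPLE_LOG)):
        bad = sum(1 for s in c.sigs if s[2])
        print(f"{c.name} {c.rrtype}: {bad}/{len(c.sigs)} RRSIGs mismatched ({c.failure})")
```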